Blob Blame Raw
diff -up libaesgm-20090429/fileenc.c.BAD libaesgm-20090429/fileenc.c
--- libaesgm-20090429/fileenc.c.BAD	2010-05-24 09:53:06.255534192 -0400
+++ libaesgm-20090429/fileenc.c	2010-05-24 09:52:55.570387453 -0400
@@ -0,0 +1,145 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products
+      built using this software without specific written permission.
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness
+ and/or fitness for purpose.
+ -------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This file implements password based file encryption and authentication 
+ using AES in CTR mode, HMAC-SHA1 authentication and RFC2898 password 
+ based key derivation.
+
+*/
+
+#include <memory.h>
+
+#include "fileenc.h"
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+/* subroutine for data encryption/decryption    */
+/* this could be speeded up a lot by aligning   */
+/* buffers and using 32 bit operations          */
+
+static void encr_data(unsigned char data[], unsigned long d_len, fcrypt_ctx cx[1])
+{   unsigned long i = 0, pos = cx->encr_pos;
+
+    while(i < d_len)
+    {
+        if(pos == BLOCK_SIZE)
+        {   unsigned int j = 0;
+            /* increment encryption nonce   */
+            while(j < 8 && !++cx->nonce[j])
+                ++j;
+            /* encrypt the nonce to form next xor buffer    */
+            aes_encrypt(cx->nonce, cx->encr_bfr, cx->encr_ctx);
+            pos = 0;
+        }
+
+        data[i++] ^= cx->encr_bfr[pos++];
+    }
+
+    cx->encr_pos = pos;
+}
+
+int fcrypt_init(
+    int mode,                               /* the mode to be used (input)          */
+    const unsigned char pwd[],              /* the user specified password (input)  */
+    unsigned int pwd_len,                   /* the length of the password (input)   */
+    const unsigned char salt[],             /* the salt (input)                     */
+#ifdef PASSWORD_VERIFIER
+    unsigned char pwd_ver[PWD_VER_LENGTH],  /* 2 byte password verifier (output)    */
+#endif
+    fcrypt_ctx      cx[1])                  /* the file encryption context (output) */
+{   unsigned char kbuf[2 * MAX_KEY_LENGTH + PWD_VER_LENGTH];
+
+    if(pwd_len > MAX_PWD_LENGTH)
+        return PASSWORD_TOO_LONG;
+
+    if(mode < 1 || mode > 3)
+        return BAD_MODE;
+
+    cx->mode = mode;
+    cx->pwd_len = pwd_len;
+    /* initialise the encryption nonce and buffer pos   */
+    cx->encr_pos = BLOCK_SIZE;
+
+	/* if we need a random component in the encryption  */
+    /* nonce, this is where it would have to be set     */
+    memset(cx->nonce, 0, BLOCK_SIZE * sizeof(unsigned char));
+	/* initialise for authentication			        */
+    hmac_sha_begin(cx->auth_ctx);
+
+	/* derive the encryption and authetication keys and the password verifier   */
+    derive_key(pwd, pwd_len, salt, SALT_LENGTH(mode), KEYING_ITERATIONS,
+                        kbuf, 2 * KEY_LENGTH(mode) + PWD_VER_LENGTH);
+    /* set the encryption key							*/
+    aes_encrypt_key(kbuf, KEY_LENGTH(mode), cx->encr_ctx);
+    /* set the authentication key						*/
+    hmac_sha_key(kbuf + KEY_LENGTH(mode), KEY_LENGTH(mode), cx->auth_ctx);
+#ifdef PASSWORD_VERIFIER
+    memcpy(pwd_ver, kbuf + 2 * KEY_LENGTH(mode), PWD_VER_LENGTH);
+#endif
+	/* clear the buffer holding the derived key values	*/
+	memset(kbuf, 0, 2 * KEY_LENGTH(mode) + PWD_VER_LENGTH);
+
+	return GOOD_RETURN;
+}
+
+/* perform 'in place' encryption and authentication */
+
+void fcrypt_encrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
+{
+    encr_data(data, data_len, cx);
+    hmac_sha_data(data, data_len, cx->auth_ctx);
+}
+
+/* perform 'in place' authentication and decryption */
+
+void fcrypt_decrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1])
+{
+    hmac_sha_data(data, data_len, cx->auth_ctx);
+    encr_data(data, data_len, cx);
+}
+
+/* close encryption/decryption and return the MAC value */
+
+int fcrypt_end(unsigned char mac[], fcrypt_ctx cx[1])
+{	unsigned int res = cx->mode;
+
+    hmac_sha_end(mac, MAC_LENGTH(cx->mode), cx->auth_ctx);
+	memset(cx, 0, sizeof(fcrypt_ctx));	/* clear the encryption context	*/
+	return MAC_LENGTH(res);				/* return MAC length in bytes   */
+}
+
+#if defined(__cplusplus)
+}
+#endif
diff -up libaesgm-20090429/fileenc.h.BAD libaesgm-20090429/fileenc.h
--- libaesgm-20090429/fileenc.h.BAD	2010-05-24 09:53:06.255534192 -0400
+++ libaesgm-20090429/fileenc.h	2010-05-24 09:56:18.801512342 -0400
@@ -0,0 +1,122 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products
+      built using this software without specific written permission.
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 24/01/2003
+
+ This file contains the header file for fileenc.c, which implements password
+ based file encryption and authentication using AES in CTR mode, HMAC-SHA1 
+ authentication and RFC2898 password based key derivation.
+*/
+
+#ifndef _FENC_H
+#define _FENC_H
+
+#include "aes.h"
+#include "hmac.h"
+#include "pwd2key.h"
+
+#define	BLOCK_SIZE AES_BLOCK_SIZE
+#define PASSWORD_VERIFIER
+
+#define MAX_KEY_LENGTH        32
+#define MAX_PWD_LENGTH       128
+#define MAX_SALT_LENGTH       16
+#define KEYING_ITERATIONS   1000
+
+#ifdef  PASSWORD_VERIFIER
+#define PWD_VER_LENGTH         2
+#else
+#define PWD_VER_LENGTH         0
+#endif
+
+#define GOOD_RETURN            0
+#define PASSWORD_TOO_LONG   -100
+#define BAD_MODE            -101
+
+/*
+    Field lengths (in bytes) versus File Encryption Mode (0 < mode < 4)
+
+    Mode Key Salt  MAC Overhead
+       1  16    8   10       18
+       2  24   12   10       22
+       3  32   16   10       26
+
+   The following macros assume that the mode value is correct.
+*/
+
+#define KEY_LENGTH(mode)        (8 * (mode & 3) + 8)
+#define SALT_LENGTH(mode)       (4 * (mode & 3) + 4)
+#define MAC_LENGTH(mode)        (10)
+
+/* the context for file encryption   */
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+typedef struct
+{   unsigned char   nonce[BLOCK_SIZE];          /* the CTR nonce          */
+    unsigned char   encr_bfr[BLOCK_SIZE];       /* encrypt buffer         */
+    aes_encrypt_ctx	encr_ctx[1];                /* encryption context     */
+    hmac_ctx        auth_ctx[1];                /* authentication context */
+    unsigned int    encr_pos;                   /* block position (enc)   */
+    unsigned int    pwd_len;                    /* password length        */
+    unsigned int    mode;                       /* File encryption mode   */
+} fcrypt_ctx;
+
+/* initialise file encryption or decryption */
+
+int fcrypt_init(
+    int mode,                               /* the mode to be used (input)          */
+    const unsigned char pwd[],              /* the user specified password (input)  */
+    unsigned int pwd_len,                   /* the length of the password (input)   */
+    const unsigned char salt[],             /* the salt (input)                     */
+#ifdef PASSWORD_VERIFIER
+    unsigned char pwd_ver[PWD_VER_LENGTH],  /* 2 byte password verifier (output)    */
+#endif
+    fcrypt_ctx      cx[1]);                 /* the file encryption context (output) */
+
+/* perform 'in place' encryption or decryption and authentication               */
+
+void fcrypt_encrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1]);
+void fcrypt_decrypt(unsigned char data[], unsigned int data_len, fcrypt_ctx cx[1]);
+
+/* close encryption/decryption and return the MAC value */
+/* the return value is the length of the MAC            */
+
+int fcrypt_end(unsigned char mac[],     /* the MAC value (output)   */
+               fcrypt_ctx cx[1]);       /* the context (input)      */
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff -up libaesgm-20090429/hmac.c.BAD libaesgm-20090429/hmac.c
--- libaesgm-20090429/hmac.c.BAD	2010-05-24 09:37:00.605385987 -0400
+++ libaesgm-20090429/hmac.c	2010-05-24 09:36:55.549386057 -0400
@@ -0,0 +1,145 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products
+      built using this software without specific written permission.
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is an implementation of HMAC, the FIPS standard keyed hash function
+*/
+
+#include "hmac.h"
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+/* initialise the HMAC context to zero */
+void hmac_sha_begin(hmac_ctx cx[1])
+{
+    memset(cx, 0, sizeof(hmac_ctx));
+}
+
+/* input the HMAC key (can be called multiple times)    */
+int hmac_sha_key(const unsigned char key[], unsigned long key_len, hmac_ctx cx[1])
+{
+    if(cx->klen == HMAC_IN_DATA)                /* error if further key input   */
+        return HMAC_BAD_MODE;                   /* is attempted in data mode    */
+
+    if(cx->klen + key_len > HASH_INPUT_SIZE)    /* if the key has to be hashed  */
+    {
+        if(cx->klen <= HASH_INPUT_SIZE)         /* if the hash has not yet been */
+        {                                       /* started, initialise it and   */
+            sha_begin(cx->ctx);                /* hash stored key characters   */
+            sha_hash(cx->key, cx->klen, cx->ctx);
+        }
+
+        sha_hash(key, key_len, cx->ctx);       /* hash long key data into hash */
+    }
+    else                                        /* otherwise store key data     */
+        memcpy(cx->key + cx->klen, key, key_len);
+
+    cx->klen += key_len;                        /* update the key length count  */
+    return HMAC_OK;
+}
+
+/* input the HMAC data (can be called multiple times) - */
+/* note that this call terminates the key input phase   */
+void hmac_sha_data(const unsigned char data[], unsigned long data_len, hmac_ctx cx[1])
+{   unsigned int i;
+
+    if(cx->klen != HMAC_IN_DATA)                /* if not yet in data phase */
+    {
+        if(cx->klen > HASH_INPUT_SIZE)          /* if key is being hashed   */
+        {                                       /* complete the hash and    */
+            sha_end(cx->key, cx->ctx);         /* store the result as the  */
+            cx->klen = HASH_OUTPUT_SIZE;        /* key and set new length   */
+        }
+
+        /* pad the key if necessary */
+        memset(cx->key + cx->klen, 0, HASH_INPUT_SIZE - cx->klen);
+
+        /* xor ipad into key value  */
+        for(i = 0; i < (HASH_INPUT_SIZE >> 2); ++i)
+            ((unsigned long*)cx->key)[i] ^= 0x36363636;
+
+        /* and start hash operation */
+        sha_begin(cx->ctx);
+        sha_hash(cx->key, HASH_INPUT_SIZE, cx->ctx);
+
+        /* mark as now in data mode */
+        cx->klen = HMAC_IN_DATA;
+    }
+
+    /* hash the data (if any)       */
+    if(data_len)
+        sha_hash(data, data_len, cx->ctx);
+}
+
+/* compute and output the MAC value */
+void hmac_sha_end(unsigned char mac[], unsigned long mac_len, hmac_ctx cx[1])
+{   unsigned char dig[HASH_OUTPUT_SIZE];
+    unsigned int i;
+
+    /* if no data has been entered perform a null data phase        */
+    if(cx->klen != HMAC_IN_DATA)
+        hmac_sha_data((const unsigned char*)0, 0, cx);
+
+    sha_end(dig, cx->ctx);         /* complete the inner hash      */
+
+    /* set outer key value using opad and removing ipad */
+    for(i = 0; i < (HASH_INPUT_SIZE >> 2); ++i)
+        ((unsigned long*)cx->key)[i] ^= 0x36363636 ^ 0x5c5c5c5c;
+
+    /* perform the outer hash operation */
+    sha_begin(cx->ctx);
+    sha_hash(cx->key, HASH_INPUT_SIZE, cx->ctx);
+    sha_hash(dig, HASH_OUTPUT_SIZE, cx->ctx);
+    sha_end(dig, cx->ctx);
+
+    /* output the hash value            */
+    for(i = 0; i < mac_len; ++i)
+        mac[i] = dig[i];
+}
+
+/* 'do it all in one go' subroutine     */
+void hmac_sha(const unsigned char key[], unsigned long key_len,
+          const unsigned char data[], unsigned long data_len,
+          unsigned char mac[], unsigned long mac_len)
+{   hmac_ctx    cx[1];
+
+    hmac_sha_begin(cx);
+    hmac_sha_key(key, key_len, cx);
+    hmac_sha_data(data, data_len, cx);
+    hmac_sha_end(mac, mac_len, cx);
+}
+
+#if defined(__cplusplus)
+}
+#endif
diff -up libaesgm-20090429/hmac.h.BAD libaesgm-20090429/hmac.h
--- libaesgm-20090429/hmac.h.BAD	2010-05-24 09:34:05.695387664 -0400
+++ libaesgm-20090429/hmac.h	2010-05-24 09:34:01.466510795 -0400
@@ -0,0 +1,102 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products
+      built using this software without specific written permission.
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is an implementation of HMAC, the FIPS standard keyed hash function
+*/
+
+#ifndef _HMAC_H
+#define _HMAC_H
+
+#include <memory.h>
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+#if !defined(USE_SHA1) && !defined(USE_SHA256)
+#error define USE_SHA1 or USE_SHA256 to set the HMAC hash algorithm
+#endif
+
+#ifdef USE_SHA1
+
+#include "sha1.h"
+
+#define HASH_INPUT_SIZE     SHA1_BLOCK_SIZE
+#define HASH_OUTPUT_SIZE    SHA1_DIGEST_SIZE
+#define sha_ctx             sha1_ctx
+#define sha_begin           sha1_begin
+#define sha_hash            sha1_hash
+#define sha_end             sha1_end
+
+#endif
+
+#ifdef USE_SHA256
+
+#include "sha2.h"
+
+#define HASH_INPUT_SIZE     SHA256_BLOCK_SIZE
+#define HASH_OUTPUT_SIZE    SHA256_DIGEST_SIZE
+#define sha_ctx             sha256_ctx
+#define sha_begin           sha256_begin
+#define sha_hash            sha256_hash
+#define sha_end             sha256_end
+
+#endif
+
+#define HMAC_OK                0
+#define HMAC_BAD_MODE         -1
+#define HMAC_IN_DATA  0xffffffff
+
+typedef struct
+{   unsigned char   key[HASH_INPUT_SIZE];
+    sha_ctx         ctx[1];
+    unsigned long   klen;
+} hmac_ctx;
+
+void hmac_sha_begin(hmac_ctx cx[1]);
+
+int  hmac_sha_key(const unsigned char key[], unsigned long key_len, hmac_ctx cx[1]);
+
+void hmac_sha_data(const unsigned char data[], unsigned long data_len, hmac_ctx cx[1]);
+
+void hmac_sha_end(unsigned char mac[], unsigned long mac_len, hmac_ctx cx[1]);
+
+void hmac_sha(const unsigned char key[], unsigned long key_len,
+          const unsigned char data[], unsigned long data_len,
+          unsigned char mac[], unsigned long mac_len);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff -up libaesgm-20090429/Makefile.BAD libaesgm-20090429/Makefile
--- libaesgm-20090429/Makefile.BAD	2010-05-24 09:34:28.198386197 -0400
+++ libaesgm-20090429/Makefile	2010-05-24 09:56:55.525397596 -0400
@@ -8,7 +8,7 @@ VERSION = $(VERSION_MAJOR).$(VERSION_MIN
 
 SHARED_LIB = libaesgm.so
 
-LIBAESGM = aescrypt.o aeskey.o aes_modes.o aestab.o
+LIBAESGM = aescrypt.o aeskey.o aes_modes.o aestab.o fileenc.o hmac.o pwd2key.o sha1.o sha2.o
 LINKOBJ = $(LIBAESGM)
 
 PREFIX = /usr
diff -up libaesgm-20090429/pwd2key.c.BAD libaesgm-20090429/pwd2key.c
--- libaesgm-20090429/pwd2key.c.BAD	2010-05-24 09:56:41.951387734 -0400
+++ libaesgm-20090429/pwd2key.c	2010-05-24 09:56:34.042512473 -0400
@@ -0,0 +1,194 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products
+      built using this software without specific written permission.
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is an implementation of RFC2898, which specifies key derivation from
+ a password and a salt value.
+*/
+
+#include <memory.h>
+#include "hmac.h"
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+void derive_key(const unsigned char pwd[],  /* the PASSWORD     */
+               unsigned int pwd_len,        /* and its length   */
+               const unsigned char salt[],  /* the SALT and its */
+               unsigned int salt_len,       /* length           */
+               unsigned int iter,   /* the number of iterations */
+               unsigned char key[], /* space for the output key */
+               unsigned int key_len)/* and its required length  */
+{
+    unsigned int    i, j, k, n_blk;
+    unsigned char uu[HASH_OUTPUT_SIZE], ux[HASH_OUTPUT_SIZE];
+    hmac_ctx c1[1], c2[1], c3[1];
+
+    /* set HMAC context (c1) for password               */
+    hmac_sha_begin(c1);
+    hmac_sha_key(pwd, pwd_len, c1);
+
+    /* set HMAC context (c2) for password and salt      */
+    memcpy(c2, c1, sizeof(hmac_ctx));
+    hmac_sha_data(salt, salt_len, c2);
+
+    /* find the number of SHA blocks in the key         */
+    n_blk = 1 + (key_len - 1) / HASH_OUTPUT_SIZE;
+
+    for(i = 0; i < n_blk; ++i) /* for each block in key */
+    {
+        /* ux[] holds the running xor value             */
+        memset(ux, 0, HASH_OUTPUT_SIZE);
+
+        /* set HMAC context (c3) for password and salt  */
+        memcpy(c3, c2, sizeof(hmac_ctx));
+
+        /* enter additional data for 1st block into uu  */
+        uu[0] = (unsigned char)((i + 1) >> 24);
+        uu[1] = (unsigned char)((i + 1) >> 16);
+        uu[2] = (unsigned char)((i + 1) >> 8);
+        uu[3] = (unsigned char)(i + 1);
+
+        /* this is the key mixing iteration         */
+        for(j = 0, k = 4; j < iter; ++j)
+        {
+            /* add previous round data to HMAC      */
+            hmac_sha_data(uu, k, c3);
+
+            /* obtain HMAC for uu[]                 */
+            hmac_sha_end(uu, HASH_OUTPUT_SIZE, c3);
+
+            /* xor into the running xor block       */
+            for(k = 0; k < HASH_OUTPUT_SIZE; ++k)
+                ux[k] ^= uu[k];
+
+            /* set HMAC context (c3) for password   */
+            memcpy(c3, c1, sizeof(hmac_ctx));
+        }
+
+        /* compile key blocks into the key output   */
+        j = 0; k = i * HASH_OUTPUT_SIZE;
+        while(j < HASH_OUTPUT_SIZE && k < key_len)
+            key[k++] = ux[j++];
+    }
+}
+
+#ifdef TEST
+
+#include <stdio.h>
+
+struct
+{   unsigned int    pwd_len;
+    unsigned int    salt_len;
+    unsigned int    it_count;
+    unsigned char   *pwd;
+    unsigned char   salt[32];
+    unsigned char   key[32];
+} tests[] =
+{
+    {   8, 4, 5, (unsigned char*)"password",
+        {   
+            0x12, 0x34, 0x56, 0x78 
+        },
+        {   
+            0x5c, 0x75, 0xce, 0xf0, 0x1a, 0x96, 0x0d, 0xf7,
+            0x4c, 0xb6, 0xb4, 0x9b, 0x9e, 0x38, 0xe6, 0xb5 
+        }
+    },
+    {   8, 8, 5, (unsigned char*)"password",
+        {   
+            0x12, 0x34, 0x56, 0x78, 0x78, 0x56, 0x34, 0x12 
+        },
+        {   
+            0xd1, 0xda, 0xa7, 0x86, 0x15, 0xf2, 0x87, 0xe6,
+            0xa1, 0xc8, 0xb1, 0x20, 0xd7, 0x06, 0x2a, 0x49 
+        }
+    },
+    {   8, 21, 1, (unsigned char*)"password",
+        {
+            "ATHENA.MIT.EDUraeburn"
+        },
+        {
+            0xcd, 0xed, 0xb5, 0x28, 0x1b, 0xb2, 0xf8, 0x01,
+            0x56, 0x5a, 0x11, 0x22, 0xb2, 0x56, 0x35, 0x15
+        }
+    },
+    {   8, 21, 2, (unsigned char*)"password",
+        {
+            "ATHENA.MIT.EDUraeburn"
+        },
+        {
+            0x01, 0xdb, 0xee, 0x7f, 0x4a, 0x9e, 0x24, 0x3e, 
+            0x98, 0x8b, 0x62, 0xc7, 0x3c, 0xda, 0x93, 0x5d
+        }
+    },
+    {   8, 21, 1200, (unsigned char*)"password",
+        {
+            "ATHENA.MIT.EDUraeburn"
+        },
+        {
+            0x5c, 0x08, 0xeb, 0x61, 0xfd, 0xf7, 0x1e, 0x4e, 
+            0x4e, 0xc3, 0xcf, 0x6b, 0xa1, 0xf5, 0x51, 0x2b
+        }
+    }
+};
+
+int main()
+{   unsigned int    i, j, key_len = 256;
+    unsigned char   key[256];
+
+    printf("\nTest of RFC2898 Password Based Key Derivation");
+    for(i = 0; i < 5; ++i)
+    {
+        derive_key(tests[i].pwd, tests[i].pwd_len, tests[i].salt,
+                    tests[i].salt_len, tests[i].it_count, key, key_len);
+
+        printf("\ntest %i: ", i + 1);
+        printf("key %s", memcmp(tests[i].key, key, 16) ? "is bad" : "is good");
+        for(j = 0; j < key_len && j < 64; j += 4)
+        {
+            if(j % 16 == 0)
+                printf("\n");
+            printf("0x%02x%02x%02x%02x ", key[j], key[j + 1], key[j + 2], key[j + 3]);
+        }
+        printf(j < key_len ? " ... \n" : "\n");
+    }
+    printf("\n");
+    return 0;
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff -up libaesgm-20090429/pwd2key.h.BAD libaesgm-20090429/pwd2key.h
--- libaesgm-20090429/pwd2key.h.BAD	2010-05-24 09:56:41.954478668 -0400
+++ libaesgm-20090429/pwd2key.h	2010-05-24 09:56:34.043512682 -0400
@@ -0,0 +1,58 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is an implementation of RFC2898, which specifies key derivation from
+ a password and a salt value.
+*/
+
+#ifndef PWD2KEY_H
+#define PWD2KEY_H
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+void derive_key(
+        const unsigned char pwd[],   /* the PASSWORD, and   */
+        unsigned int pwd_len,        /*    its length       */ 
+        const unsigned char salt[],  /* the SALT and its    */
+        unsigned int salt_len,       /*    length           */
+        unsigned int iter,      /* the number of iterations */
+        unsigned char key[],    /* space for the output key */
+        unsigned int key_len);  /* and its required length  */
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff -up libaesgm-20090429/sha1.c.BAD libaesgm-20090429/sha1.c
--- libaesgm-20090429/sha1.c.BAD	2010-05-24 09:35:26.415540411 -0400
+++ libaesgm-20090429/sha1.c	2010-05-24 09:35:05.496512680 -0400
@@ -0,0 +1,323 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is a byte oriented version of SHA1 that operates on arrays of bytes
+ stored in memory. It runs at 22 cycles per byte on a Pentium P4 processor
+*/
+
+#include <string.h>     /* for memcpy() etc.        */
+#include <stdlib.h>     /* for _lrotl with VC++     */
+
+#include "sha1.h"
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+/*
+    To obtain the highest speed on processors with 32-bit words, this code 
+    needs to determine the order in which bytes are packed into such words.
+    The following block of code is an attempt to capture the most obvious 
+    ways in which various environemnts specify their endian definitions. 
+    It may well fail, in which case the definitions will need to be set by 
+    editing at the points marked **** EDIT HERE IF NECESSARY **** below.
+*/
+/*  PLATFORM SPECIFIC INCLUDES */
+
+#if defined( __FreeBSD__ ) || defined( __OpenBSD__ )
+#  include <sys/endian.h>
+#elif defined( BSD ) && ( BSD >= 199103 )
+#  include <machine/endian.h>
+#elif defined( __GNUC__ ) || defined( __GNU_LIBRARY__ )
+#  include <endian.h>
+#  include <byteswap.h>
+#elif defined( linux )
+#  include <endian.h>
+#endif
+
+/*  BYTE ORDER IN 32-BIT WORDS
+
+    To obtain the highest speed on processors with 32-bit words, this code
+    needs to determine the byte order of the target machine. The following 
+    block of code is an attempt to capture the most obvious ways in which 
+    various environemnts define byte order. It may well fail, in which case 
+    the definitions will need to be set by editing at the points marked 
+    **** EDIT HERE IF NECESSARY **** below.  My thanks to Peter Gutmann for 
+    some of these defines (from cryptlib).
+*/
+
+#define BRG_LITTLE_ENDIAN   1234 /* byte 0 is least significant (i386) */
+#define BRG_BIG_ENDIAN      4321 /* byte 0 is most significant (mc68k) */
+
+#if defined( __alpha__ ) || defined( __alpha ) || defined( i386 )       ||   \
+    defined( __i386__ )  || defined( _M_I86 )  || defined( _M_IX86 )    ||   \
+    defined( __OS2__ )   || defined( sun386 )  || defined( __TURBOC__ ) ||   \
+    defined( vax )       || defined( vms )     || defined( VMS )        ||   \
+    defined( __VMS ) 
+
+#define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+
+#endif
+
+#if defined( AMIGA )    || defined( applec )  || defined( __AS400__ )  ||   \
+    defined( _CRAY )    || defined( __hppa )  || defined( __hp9000 )   ||   \
+    defined( ibm370 )   || defined( mc68000 ) || defined( m68k )       ||   \
+    defined( __MRC__ )  || defined( __MVS__ ) || defined( __MWERKS__ ) ||   \
+    defined( sparc )    || defined( __sparc)  || defined( SYMANTEC_C ) ||   \
+    defined( __TANDEM ) || defined( THINK_C ) || defined( __VMCMS__ )
+    
+#define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+
+#endif
+
+/*  if the platform is still not known, try to find its byte order  */
+/*  from commonly used definitions in the headers included earlier  */
+
+#if !defined(PLATFORM_BYTE_ORDER)
+
+#if defined(LITTLE_ENDIAN) || defined(BIG_ENDIAN)
+#  if    defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(LITTLE_ENDIAN) &&  defined(BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(BYTE_ORDER) && (BYTE_ORDER == LITTLE_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(BYTE_ORDER) && (BYTE_ORDER == BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif defined(_LITTLE_ENDIAN) || defined(_BIG_ENDIAN)
+#  if    defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(_LITTLE_ENDIAN) &&  defined(_BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _LITTLE_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif defined(__LITTLE_ENDIAN__) || defined(__BIG_ENDIAN__)
+#  if    defined(__LITTLE_ENDIAN__) && !defined(__BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(__LITTLE_ENDIAN__) &&  defined(__BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __LITTLE_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+
+#else
+#error Please edit sha1.c (line 141 or 144) to set the platform byte order
+#endif
+
+#endif
+
+#define rotl32(x,n) (((x) << n) | ((x) >> (32 - n)))
+
+#if (PLATFORM_BYTE_ORDER == BRG_BIG_ENDIAN)
+#define swap_b32(x) (x)
+#elif defined(bswap_32)
+#define swap_b32(x) bswap_32(x)
+#else
+#define swap_b32(x) ((rotl32((x), 8) & 0x00ff00ff) | (rotl32((x), 24) & 0xff00ff00))
+#endif
+
+#define SHA1_MASK   (SHA1_BLOCK_SIZE - 1)
+
+#if 1
+
+#define ch(x,y,z)       (((x) & (y)) ^ (~(x) & (z)))
+#define parity(x,y,z)   ((x) ^ (y) ^ (z))
+#define maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+#else   /* Discovered Rich Schroeppel and Colin Plumb   */
+
+#define ch(x,y,z)       ((z) ^ ((x) & ((y) ^ (z))))
+#define parity(x,y,z)   ((x) ^ (y) ^ (z))
+#define maj(x,y,z)      (((x) & (y)) | ((z) & ((x) ^ (y))))
+
+#endif
+
+/* A normal version as set out in the FIPS  */
+
+#define rnd(f,k)    \
+    t = a; a = rotl32(a,5) + f(b,c,d) + e + k + w[i]; \
+    e = d; d = c; c = rotl32(b, 30); b = t
+
+void sha1_compile(sha1_ctx ctx[1])
+{   sha1_32t    w[80], i, a, b, c, d, e, t;
+
+    /* note that words are compiled from the buffer into 32-bit */
+    /* words in big-endian order so an order reversal is needed */
+    /* here on little endian machines                           */
+    for(i = 0; i < SHA1_BLOCK_SIZE / 4; ++i)
+        w[i] = swap_b32(ctx->wbuf[i]);
+
+    for(i = SHA1_BLOCK_SIZE / 4; i < 80; ++i)
+        w[i] = rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
+
+    a = ctx->hash[0];
+    b = ctx->hash[1];
+    c = ctx->hash[2];
+    d = ctx->hash[3];
+    e = ctx->hash[4];
+
+    for(i = 0; i < 20; ++i)
+    {
+        rnd(ch, 0x5a827999);    
+    }
+
+    for(i = 20; i < 40; ++i)
+    {
+        rnd(parity, 0x6ed9eba1);
+    }
+
+    for(i = 40; i < 60; ++i)
+    {
+        rnd(maj, 0x8f1bbcdc);
+    }
+
+    for(i = 60; i < 80; ++i)
+    {
+        rnd(parity, 0xca62c1d6);
+    }
+
+    ctx->hash[0] += a; 
+    ctx->hash[1] += b; 
+    ctx->hash[2] += c; 
+    ctx->hash[3] += d; 
+    ctx->hash[4] += e;
+}
+
+void sha1_begin(sha1_ctx ctx[1])
+{
+    ctx->count[0] = ctx->count[1] = 0;
+    ctx->hash[0] = 0x67452301;
+    ctx->hash[1] = 0xefcdab89;
+    ctx->hash[2] = 0x98badcfe;
+    ctx->hash[3] = 0x10325476;
+    ctx->hash[4] = 0xc3d2e1f0;
+}
+
+/* SHA1 hash data in an array of bytes into hash buffer and */
+/* call the hash_compile function as required.              */
+
+void sha1_hash(const unsigned char data[], unsigned long len, sha1_ctx ctx[1])
+{   sha1_32t pos = (sha1_32t)(ctx->count[0] & SHA1_MASK), 
+             space = SHA1_BLOCK_SIZE - pos;
+    const unsigned char *sp = data;
+
+    if((ctx->count[0] += len) < len)
+        ++(ctx->count[1]);
+
+    while(len >= space)     /* tranfer whole blocks if possible  */
+    {
+        memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
+        sp += space; len -= space; space = SHA1_BLOCK_SIZE; pos = 0; 
+        sha1_compile(ctx);
+    }
+
+    /*lint -e{803} conceivable data overrun */
+    memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
+}
+
+/* SHA1 final padding and digest calculation  */
+
+#if (PLATFORM_BYTE_ORDER == BRG_LITTLE_ENDIAN)
+static sha1_32t  mask[4] = 
+    {   0x00000000, 0x000000ff, 0x0000ffff, 0x00ffffff };
+static sha1_32t  bits[4] = 
+    {   0x00000080, 0x00008000, 0x00800000, 0x80000000 };
+#else
+static sha1_32t  mask[4] = 
+    {   0x00000000, 0xff000000, 0xffff0000, 0xffffff00 };
+static sha1_32t  bits[4] = 
+    {   0x80000000, 0x00800000, 0x00008000, 0x00000080 };
+#endif
+
+void sha1_end(unsigned char hval[], sha1_ctx ctx[1])
+{   sha1_32t    i = (sha1_32t)(ctx->count[0] & SHA1_MASK);
+
+    /* mask out the rest of any partial 32-bit word and then set    */
+    /* the next byte to 0x80. On big-endian machines any bytes in   */
+    /* the buffer will be at the top end of 32 bit words, on little */
+    /* endian machines they will be at the bottom. Hence the AND    */
+    /* and OR masks above are reversed for little endian systems    */
+    /* Note that we can always add the first padding byte at this   */
+    /* point because the buffer always has at least one empty slot  */ 
+    ctx->wbuf[i >> 2] = (ctx->wbuf[i >> 2] & mask[i & 3]) | bits[i & 3];
+
+    /* we need 9 or more empty positions, one for the padding byte  */
+    /* (above) and eight for the length count.  If there is not     */
+    /* enough space pad and empty the buffer                        */
+    if(i > SHA1_BLOCK_SIZE - 9)
+    {
+        if(i < 60) ctx->wbuf[15] = 0;
+        sha1_compile(ctx);
+        i = 0;
+    }
+    else    /* compute a word index for the empty buffer positions  */
+        i = (i >> 2) + 1;
+
+    while(i < 14) /* and zero pad all but last two positions        */ 
+        ctx->wbuf[i++] = 0;
+    
+    /* assemble the eight byte counter in in big-endian format      */
+    ctx->wbuf[14] = swap_b32((ctx->count[1] << 3) | (ctx->count[0] >> 29));
+    ctx->wbuf[15] = swap_b32(ctx->count[0] << 3);
+
+    sha1_compile(ctx);
+
+    /* extract the hash value as bytes in case the hash buffer is   */
+    /* misaligned for 32-bit words                                  */
+    for(i = 0; i < SHA1_DIGEST_SIZE; ++i)
+        hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3)));
+}
+
+void sha1(unsigned char hval[], const unsigned char data[], unsigned long len)
+{   sha1_ctx    cx[1];
+
+    sha1_begin(cx); sha1_hash(data, len, cx); sha1_end(hval, cx);
+}
+
+#if defined(__cplusplus)
+}
+#endif
diff -up libaesgm-20090429/sha1.h.BAD libaesgm-20090429/sha1.h
--- libaesgm-20090429/sha1.h.BAD	2010-05-24 09:35:26.415540411 -0400
+++ libaesgm-20090429/sha1.h	2010-05-24 09:35:05.496512680 -0400
@@ -0,0 +1,76 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+*/
+
+#ifndef _SHA1_H
+#define _SHA1_H
+
+#include <limits.h>
+
+#define SHA1_BLOCK_SIZE  64
+#define SHA1_DIGEST_SIZE 20
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+/* define an unsigned 32-bit type */
+
+#if UINT_MAX == 0xffffffff
+  typedef   unsigned int     sha1_32t;
+#elif ULONG_MAX == 0xffffffff
+  typedef   unsigned long    sha1_32t;
+#else
+#error Please define sha1_32t as an unsigned 32 bit type in sha2.h
+#endif
+
+/* type to hold the SHA256 context  */
+
+typedef struct
+{   sha1_32t count[2];
+    sha1_32t hash[5];
+    sha1_32t wbuf[16];
+} sha1_ctx;
+
+void sha1_compile(sha1_ctx ctx[1]);
+
+void sha1_begin(sha1_ctx ctx[1]);
+void sha1_hash(const unsigned char data[], unsigned long len, sha1_ctx ctx[1]);
+void sha1_end(unsigned char hval[], sha1_ctx ctx[1]);
+void sha1(unsigned char hval[], const unsigned char data[], unsigned long len);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif
diff -up libaesgm-20090429/sha2.c.BAD libaesgm-20090429/sha2.c
--- libaesgm-20090429/sha2.c.BAD	2010-05-24 09:35:26.415540411 -0400
+++ libaesgm-20090429/sha2.c	2010-05-24 09:35:05.496512680 -0400
@@ -0,0 +1,713 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+
+ This is a byte oriented version of SHA2 that operates on arrays of bytes
+ stored in memory. This code implements sha256, sha384 and sha512 but the
+ latter two functions rely on efficient 64-bit integer operations that 
+ may not be very efficient on 32-bit machines
+
+ The sha256 functions use a type 'sha256_ctx' to hold details of the 
+ current hash state and uses the following three calls:
+
+       void sha256_begin(sha256_ctx ctx[1])
+       void sha256_hash(const unsigned char data[], 
+                            unsigned long len, sha256_ctx ctx[1])
+       void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
+
+ The first subroutine initialises a hash computation by setting up the 
+ context in the sha256_ctx context. The second subroutine hashes 8-bit 
+ bytes from array data[] into the hash state withinh sha256_ctx context, 
+ the number of bytes to be hashed being given by the the unsigned long 
+ integer len.  The third subroutine completes the hash calculation and 
+ places the resulting digest value in the array of 8-bit bytes hval[].
+
+ The sha384 and sha512 functions are similar and use the interfaces:
+
+       void sha384_begin(sha384_ctx ctx[1]);
+       void sha384_hash(const unsigned char data[], 
+                            unsigned long len, sha384_ctx ctx[1]);
+       void sha384_end(unsigned char hval[], sha384_ctx ctx[1]);
+
+       void sha512_begin(sha512_ctx ctx[1]);
+       void sha512_hash(const unsigned char data[], 
+                            unsigned long len, sha512_ctx ctx[1]);
+       void sha512_end(unsigned char hval[], sha512_ctx ctx[1]);
+
+ In addition there is a function sha2 that can be used to call all these
+ functions using a call with a hash length parameter as follows:
+
+       int sha2_begin(unsigned long len, sha2_ctx ctx[1]);
+       void sha2_hash(const unsigned char data[], 
+                            unsigned long len, sha2_ctx ctx[1]);
+       void sha2_end(unsigned char hval[], sha2_ctx ctx[1]);
+
+ My thanks to Erik Andersen <andersen@codepoet.org> for testing this code 
+ on big-endian systems and for his assistance with corrections
+*/
+
+/* define the hash functions that you need          */
+
+#define SHA_2           /* for dynamic hash length  */
+#define SHA_256
+#define SHA_384
+#define SHA_512
+
+#include <string.h>     /* for memcpy() etc.        */
+#include <stdlib.h>     /* for _lrotr with VC++     */
+
+#include "sha2.h"
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+/*  PLATFORM SPECIFIC INCLUDES */
+
+#if defined( __FreeBSD__ ) || defined( __OpenBSD__ )
+#  include <sys/endian.h>
+#elif defined( BSD ) && ( BSD >= 199103 )
+#  include <machine/endian.h>
+#elif defined( __GNUC__ ) || defined( __GNU_LIBRARY__ )
+#  include <endian.h>
+#  include <byteswap.h>
+#elif defined( linux )
+#  include <endian.h>
+#endif
+
+/*  BYTE ORDER IN 32-BIT WORDS
+
+    To obtain the highest speed on processors with 32-bit words, this code
+    needs to determine the byte order of the target machine. The following 
+    block of code is an attempt to capture the most obvious ways in which 
+    various environemnts define byte order. It may well fail, in which case 
+    the definitions will need to be set by editing at the points marked 
+    **** EDIT HERE IF NECESSARY **** below.  My thanks to Peter Gutmann for 
+    some of these defines (from cryptlib).
+*/
+
+#define BRG_LITTLE_ENDIAN   1234 /* byte 0 is least significant (i386) */
+#define BRG_BIG_ENDIAN      4321 /* byte 0 is most significant (mc68k) */
+
+#if defined( __alpha__ ) || defined( __alpha ) || defined( i386 )       ||   \
+    defined( __i386__ )  || defined( _M_I86 )  || defined( _M_IX86 )    ||   \
+    defined( __OS2__ )   || defined( sun386 )  || defined( __TURBOC__ ) ||   \
+    defined( vax )       || defined( vms )     || defined( VMS )        ||   \
+    defined( __VMS ) 
+
+#define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+
+#endif
+
+#if defined( AMIGA )    || defined( applec )  || defined( __AS400__ )  ||   \
+    defined( _CRAY )    || defined( __hppa )  || defined( __hp9000 )   ||   \
+    defined( ibm370 )   || defined( mc68000 ) || defined( m68k )       ||   \
+    defined( __MRC__ )  || defined( __MVS__ ) || defined( __MWERKS__ ) ||   \
+    defined( sparc )    || defined( __sparc)  || defined( SYMANTEC_C ) ||   \
+    defined( __TANDEM ) || defined( THINK_C ) || defined( __VMCMS__ )
+    
+#define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+
+#endif
+
+/*  if the platform is still not known, try to find its byte order  */
+/*  from commonly used definitions in the headers included earlier  */
+
+#if !defined(PLATFORM_BYTE_ORDER)
+
+#if defined(LITTLE_ENDIAN) || defined(BIG_ENDIAN)
+#  if    defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(LITTLE_ENDIAN) &&  defined(BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(BYTE_ORDER) && (BYTE_ORDER == LITTLE_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(BYTE_ORDER) && (BYTE_ORDER == BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif defined(_LITTLE_ENDIAN) || defined(_BIG_ENDIAN)
+#  if    defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(_LITTLE_ENDIAN) &&  defined(_BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _LITTLE_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(_BYTE_ORDER) && (_BYTE_ORDER == _BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif defined(__LITTLE_ENDIAN__) || defined(__BIG_ENDIAN__)
+#  if    defined(__LITTLE_ENDIAN__) && !defined(__BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif !defined(__LITTLE_ENDIAN__) &&  defined(__BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __LITTLE_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+#  elif defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __BIG_ENDIAN__)
+#    define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+#  endif
+
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
+
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
+
+#else
+#error Please edit sha2.c (line 180 or 183) to set the platform byte order
+#endif
+
+#endif
+
+#ifdef _MSC_VER
+#pragma intrinsic(memcpy)
+#endif
+
+#define rotr32(x,n)   (((x) >> n) | ((x) << (32 - n)))
+
+#if !defined(bswap_32)
+#define bswap_32(x) (rotr32((x), 24) & 0x00ff00ff | rotr32((x), 8) & 0xff00ff00)
+#endif
+
+#if (PLATFORM_BYTE_ORDER == BRG_LITTLE_ENDIAN)
+#define SWAP_BYTES
+#else
+#undef  SWAP_BYTES
+#endif
+
+#if defined(SHA_2) || defined(SHA_256)
+
+#define SHA256_MASK (SHA256_BLOCK_SIZE - 1)
+
+#if defined(SWAP_BYTES)
+#define bsw_32(p,n) { int _i = (n); while(_i--) p[_i] = bswap_32(p[_i]); }
+#else
+#define bsw_32(p,n) 
+#endif
+
+/* SHA256 mixing function definitions   */
+
+#if 0
+
+#define ch(x,y,z)       (((x) & (y)) ^ (~(x) & (z)))
+#define maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+#else   /* Thanks to Rich Schroeppel and Colin Plumb for the following      */
+
+#define ch(x,y,z)       ((z) ^ ((x) & ((y) ^ (z))))
+#define maj(x,y,z)      (((x) & (y)) | ((z) & ((x) ^ (y))))
+
+#endif
+
+#define s256_0(x) (rotr32((x),  2) ^ rotr32((x), 13) ^ rotr32((x), 22)) 
+#define s256_1(x) (rotr32((x),  6) ^ rotr32((x), 11) ^ rotr32((x), 25)) 
+#define g256_0(x) (rotr32((x),  7) ^ rotr32((x), 18) ^ ((x) >>  3)) 
+#define g256_1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10)) 
+
+/* rotated SHA256 round definition. Rather than swapping variables as in    */
+/* FIPS-180, different variables are 'rotated' on each round, returning     */
+/* to their starting positions every eight rounds                           */
+
+#define h2(i) p[i & 15] += \
+    g256_1(p[(i + 14) & 15]) + p[(i + 9) & 15] + g256_0(p[(i + 1) & 15])
+
+#define h2_cycle(i,j)  \
+    v[(7 - i) & 7] += (j ? h2(i) : p[i & 15]) + k256[i + j] \
+        + s256_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
+    v[(3 - i) & 7] += v[(7 - i) & 7]; \
+    v[(7 - i) & 7] += s256_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
+
+/* SHA256 mixing data   */
+
+const sha2_32t k256[64] =
+{   n_u32(428a2f98), n_u32(71374491), n_u32(b5c0fbcf), n_u32(e9b5dba5), 
+    n_u32(3956c25b), n_u32(59f111f1), n_u32(923f82a4), n_u32(ab1c5ed5), 
+    n_u32(d807aa98), n_u32(12835b01), n_u32(243185be), n_u32(550c7dc3), 
+    n_u32(72be5d74), n_u32(80deb1fe), n_u32(9bdc06a7), n_u32(c19bf174), 
+    n_u32(e49b69c1), n_u32(efbe4786), n_u32(0fc19dc6), n_u32(240ca1cc), 
+    n_u32(2de92c6f), n_u32(4a7484aa), n_u32(5cb0a9dc), n_u32(76f988da), 
+    n_u32(983e5152), n_u32(a831c66d), n_u32(b00327c8), n_u32(bf597fc7), 
+    n_u32(c6e00bf3), n_u32(d5a79147), n_u32(06ca6351), n_u32(14292967), 
+    n_u32(27b70a85), n_u32(2e1b2138), n_u32(4d2c6dfc), n_u32(53380d13), 
+    n_u32(650a7354), n_u32(766a0abb), n_u32(81c2c92e), n_u32(92722c85),
+    n_u32(a2bfe8a1), n_u32(a81a664b), n_u32(c24b8b70), n_u32(c76c51a3), 
+    n_u32(d192e819), n_u32(d6990624), n_u32(f40e3585), n_u32(106aa070), 
+    n_u32(19a4c116), n_u32(1e376c08), n_u32(2748774c), n_u32(34b0bcb5), 
+    n_u32(391c0cb3), n_u32(4ed8aa4a), n_u32(5b9cca4f), n_u32(682e6ff3), 
+    n_u32(748f82ee), n_u32(78a5636f), n_u32(84c87814), n_u32(8cc70208), 
+    n_u32(90befffa), n_u32(a4506ceb), n_u32(bef9a3f7), n_u32(c67178f2),
+};
+
+/* SHA256 initialisation data */
+
+const sha2_32t i256[8] =
+{
+    n_u32(6a09e667), n_u32(bb67ae85), n_u32(3c6ef372), n_u32(a54ff53a),
+    n_u32(510e527f), n_u32(9b05688c), n_u32(1f83d9ab), n_u32(5be0cd19)
+};
+
+sha2_void sha256_begin(sha256_ctx ctx[1])
+{
+    ctx->count[0] = ctx->count[1] = 0;
+    memcpy(ctx->hash, i256, 8 * sizeof(sha2_32t));
+}
+
+/* Compile 64 bytes of hash data into SHA256 digest value   */
+/* NOTE: this routine assumes that the byte order in the    */
+/* ctx->wbuf[] at this point is in such an order that low   */
+/* address bytes in the ORIGINAL byte stream placed in this */
+/* buffer will now go to the high end of words on BOTH big  */
+/* and little endian systems                                */
+
+sha2_void sha256_compile(sha256_ctx ctx[1])
+{   sha2_32t    v[8], j, *p = ctx->wbuf;
+
+    memcpy(v, ctx->hash, 8 * sizeof(sha2_32t));
+
+    for(j = 0; j < 64; j += 16)
+    {
+        h2_cycle( 0, j); h2_cycle( 1, j); h2_cycle( 2, j); h2_cycle( 3, j);
+        h2_cycle( 4, j); h2_cycle( 5, j); h2_cycle( 6, j); h2_cycle( 7, j);
+        h2_cycle( 8, j); h2_cycle( 9, j); h2_cycle(10, j); h2_cycle(11, j);
+        h2_cycle(12, j); h2_cycle(13, j); h2_cycle(14, j); h2_cycle(15, j);
+    }
+
+    ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
+    ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
+}
+
+/* SHA256 hash data in an array of bytes into hash buffer   */
+/* and call the hash_compile function as required.          */
+
+sha2_void sha256_hash(const unsigned char data[], unsigned long len, sha256_ctx ctx[1])
+{   sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA256_MASK), 
+             space = SHA256_BLOCK_SIZE - pos;
+    const unsigned char *sp = data;
+
+    if((ctx->count[0] += len) < len)
+        ++(ctx->count[1]);
+
+    while(len >= space)     /* tranfer whole blocks while possible  */
+    {
+        memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
+        sp += space; len -= space; space = SHA256_BLOCK_SIZE; pos = 0; 
+        bsw_32(ctx->wbuf, SHA256_BLOCK_SIZE >> 2)
+        sha256_compile(ctx);
+    }
+
+    memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
+}
+
+/* SHA256 Final padding and digest calculation  */
+
+static sha2_32t  m1[4] =
+{
+    n_u32(00000000), n_u32(ff000000), n_u32(ffff0000), n_u32(ffffff00)
+};
+
+static sha2_32t  b1[4] =
+{
+    n_u32(80000000), n_u32(00800000), n_u32(00008000), n_u32(00000080)
+};
+
+sha2_void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
+{   sha2_32t    i = (sha2_32t)(ctx->count[0] & SHA256_MASK);
+
+    bsw_32(ctx->wbuf, (i + 3) >> 2)
+    /* bytes in the buffer are now in an order in which references  */
+    /* to 32-bit words will put bytes with lower addresses into the */
+    /* top of 32 bit words on BOTH big and little endian machines   */
+    
+    /* we now need to mask valid bytes and add the padding which is */
+    /* a single 1 bit and as many zero bits as necessary.           */
+    ctx->wbuf[i >> 2] = (ctx->wbuf[i >> 2] & m1[i & 3]) | b1[i & 3];
+
+    /* we need 9 or more empty positions, one for the padding byte  */
+    /* (above) and eight for the length count.  If there is not     */
+    /* enough space pad and empty the buffer                        */
+    if(i > SHA256_BLOCK_SIZE - 9)
+    {
+        if(i < 60) ctx->wbuf[15] = 0;
+        sha256_compile(ctx);
+        i = 0;
+    }
+    else    /* compute a word index for the empty buffer positions  */
+        i = (i >> 2) + 1;
+
+    while(i < 14) /* and zero pad all but last two positions      */ 
+        ctx->wbuf[i++] = 0;
+    
+    /* the following 32-bit length fields are assembled in the      */
+    /* wrong byte order on little endian machines but this is       */
+    /* corrected later since they are only ever used as 32-bit      */
+    /* word values.                                                 */
+
+    ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 29);
+    ctx->wbuf[15] = ctx->count[0] << 3;
+
+    sha256_compile(ctx);
+
+    /* extract the hash value as bytes in case the hash buffer is   */
+    /* mislaigned for 32-bit words                                  */
+    for(i = 0; i < SHA256_DIGEST_SIZE; ++i)
+        hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3)));
+}
+
+sha2_void sha256(unsigned char hval[], const unsigned char data[], unsigned long len) 
+{   sha256_ctx  cx[1];
+    
+    sha256_begin(cx); sha256_hash(data, len, cx); sha256_end(hval, cx);
+}
+
+#endif
+
+#if defined(SHA_2) || defined(SHA_384) || defined(SHA_512)
+
+#define SHA512_MASK (SHA512_BLOCK_SIZE - 1)
+
+#define rotr64(x,n)   (((x) >> n) | ((x) << (64 - n)))
+
+#if !defined(bswap_64)
+#define bswap_64(x) (((sha2_64t)(bswap_32((sha2_32t)(x)))) << 32 | bswap_32((sha2_32t)((x) >> 32)))
+#endif
+
+#if defined(SWAP_BYTES)
+#define bsw_64(p,n) { int _i = (n); while(_i--) p[_i] = bswap_64(p[_i]); }
+#else
+#define bsw_64(p,n) 
+#endif
+
+/* SHA512 mixing function definitions   */
+
+#define s512_0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39)) 
+#define s512_1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41)) 
+#define g512_0(x) (rotr64((x),  1) ^ rotr64((x),  8) ^ ((x) >>  7)) 
+#define g512_1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >>  6)) 
+
+/* rotated SHA512 round definition. Rather than swapping variables as in    */
+/* FIPS-180, different variables are 'rotated' on each round, returning     */
+/* to their starting positions every eight rounds                           */
+
+#define h5(i) ctx->wbuf[i & 15] += \
+    g512_1(ctx->wbuf[(i + 14) & 15]) + ctx->wbuf[(i + 9) & 15] + g512_0(ctx->wbuf[(i + 1) & 15])
+
+#define h5_cycle(i,j)  \
+    v[(7 - i) & 7] += (j ? h5(i) : ctx->wbuf[i & 15]) + k512[i + j] \
+        + s512_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
+    v[(3 - i) & 7] += v[(7 - i) & 7]; \
+    v[(7 - i) & 7] += s512_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
+
+/* SHA384/SHA512 mixing data    */
+
+const sha2_64t  k512[80] = 
+{
+    n_u64(428a2f98d728ae22), n_u64(7137449123ef65cd), 
+    n_u64(b5c0fbcfec4d3b2f), n_u64(e9b5dba58189dbbc),
+    n_u64(3956c25bf348b538), n_u64(59f111f1b605d019),
+    n_u64(923f82a4af194f9b), n_u64(ab1c5ed5da6d8118),
+    n_u64(d807aa98a3030242), n_u64(12835b0145706fbe),
+    n_u64(243185be4ee4b28c), n_u64(550c7dc3d5ffb4e2),
+    n_u64(72be5d74f27b896f), n_u64(80deb1fe3b1696b1),
+    n_u64(9bdc06a725c71235), n_u64(c19bf174cf692694),
+    n_u64(e49b69c19ef14ad2), n_u64(efbe4786384f25e3),
+    n_u64(0fc19dc68b8cd5b5), n_u64(240ca1cc77ac9c65),
+    n_u64(2de92c6f592b0275), n_u64(4a7484aa6ea6e483),
+    n_u64(5cb0a9dcbd41fbd4), n_u64(76f988da831153b5),
+    n_u64(983e5152ee66dfab), n_u64(a831c66d2db43210),
+    n_u64(b00327c898fb213f), n_u64(bf597fc7beef0ee4),
+    n_u64(c6e00bf33da88fc2), n_u64(d5a79147930aa725),
+    n_u64(06ca6351e003826f), n_u64(142929670a0e6e70),
+    n_u64(27b70a8546d22ffc), n_u64(2e1b21385c26c926),
+    n_u64(4d2c6dfc5ac42aed), n_u64(53380d139d95b3df),
+    n_u64(650a73548baf63de), n_u64(766a0abb3c77b2a8),
+    n_u64(81c2c92e47edaee6), n_u64(92722c851482353b),
+    n_u64(a2bfe8a14cf10364), n_u64(a81a664bbc423001),
+    n_u64(c24b8b70d0f89791), n_u64(c76c51a30654be30),
+    n_u64(d192e819d6ef5218), n_u64(d69906245565a910),
+    n_u64(f40e35855771202a), n_u64(106aa07032bbd1b8),
+    n_u64(19a4c116b8d2d0c8), n_u64(1e376c085141ab53),
+    n_u64(2748774cdf8eeb99), n_u64(34b0bcb5e19b48a8),
+    n_u64(391c0cb3c5c95a63), n_u64(4ed8aa4ae3418acb),
+    n_u64(5b9cca4f7763e373), n_u64(682e6ff3d6b2b8a3),
+    n_u64(748f82ee5defb2fc), n_u64(78a5636f43172f60),
+    n_u64(84c87814a1f0ab72), n_u64(8cc702081a6439ec),
+    n_u64(90befffa23631e28), n_u64(a4506cebde82bde9),
+    n_u64(bef9a3f7b2c67915), n_u64(c67178f2e372532b),
+    n_u64(ca273eceea26619c), n_u64(d186b8c721c0c207),
+    n_u64(eada7dd6cde0eb1e), n_u64(f57d4f7fee6ed178),
+    n_u64(06f067aa72176fba), n_u64(0a637dc5a2c898a6),
+    n_u64(113f9804bef90dae), n_u64(1b710b35131c471b),
+    n_u64(28db77f523047d84), n_u64(32caab7b40c72493),
+    n_u64(3c9ebe0a15c9bebc), n_u64(431d67c49c100d4c),
+    n_u64(4cc5d4becb3e42b6), n_u64(597f299cfc657e2a),
+    n_u64(5fcb6fab3ad6faec), n_u64(6c44198c4a475817)
+};
+
+/* Compile 64 bytes of hash data into SHA384/SHA512 digest value  */
+
+sha2_void sha512_compile(sha512_ctx ctx[1])
+{   sha2_64t    v[8];
+    sha2_32t    j;
+
+    memcpy(v, ctx->hash, 8 * sizeof(sha2_64t));
+
+    for(j = 0; j < 80; j += 16)
+    {
+        h5_cycle( 0, j); h5_cycle( 1, j); h5_cycle( 2, j); h5_cycle( 3, j);
+        h5_cycle( 4, j); h5_cycle( 5, j); h5_cycle( 6, j); h5_cycle( 7, j);
+        h5_cycle( 8, j); h5_cycle( 9, j); h5_cycle(10, j); h5_cycle(11, j);
+        h5_cycle(12, j); h5_cycle(13, j); h5_cycle(14, j); h5_cycle(15, j);
+    }
+
+    ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
+    ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
+}
+
+/* Compile 128 bytes of hash data into SHA256 digest value  */
+/* NOTE: this routine assumes that the byte order in the    */
+/* ctx->wbuf[] at this point is in such an order that low   */
+/* address bytes in the ORIGINAL byte stream placed in this */
+/* buffer will now go to the high end of words on BOTH big  */
+/* and little endian systems                                */
+
+sha2_void sha512_hash(const unsigned char data[], unsigned long len, sha512_ctx ctx[1])
+{   sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA512_MASK), 
+             space = SHA512_BLOCK_SIZE - pos;
+    const unsigned char *sp = data;
+
+    if((ctx->count[0] += len) < len)
+        ++(ctx->count[1]);
+
+    while(len >= space)     /* tranfer whole blocks while possible  */
+    {
+        memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
+        sp += space; len -= space; space = SHA512_BLOCK_SIZE; pos = 0; 
+        bsw_64(ctx->wbuf, SHA512_BLOCK_SIZE >> 3);        
+        sha512_compile(ctx);
+    }
+
+    memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
+}
+
+/* SHA384/512 Final padding and digest calculation  */
+
+static sha2_64t  m2[8] =
+{
+    n_u64(0000000000000000), n_u64(ff00000000000000), 
+    n_u64(ffff000000000000), n_u64(ffffff0000000000),
+    n_u64(ffffffff00000000), n_u64(ffffffffff000000),
+    n_u64(ffffffffffff0000), n_u64(ffffffffffffff00)
+};
+
+static sha2_64t  b2[8] =
+{
+    n_u64(8000000000000000), n_u64(0080000000000000), 
+    n_u64(0000800000000000), n_u64(0000008000000000),
+    n_u64(0000000080000000), n_u64(0000000000800000), 
+    n_u64(0000000000008000), n_u64(0000000000000080)
+};
+
+static void sha_end(unsigned char hval[], sha512_ctx ctx[1], const unsigned int hlen)
+{   sha2_32t    i = (sha2_32t)(ctx->count[0] & SHA512_MASK);
+
+    bsw_64(ctx->wbuf, (i + 7) >> 3);
+
+    /* bytes in the buffer are now in an order in which references  */
+    /* to 64-bit words will put bytes with lower addresses into the */
+    /* top of 64 bit words on BOTH big and little endian machines   */
+    
+    /* we now need to mask valid bytes and add the padding which is */
+    /* a single 1 bit and as many zero bits as necessary.           */
+    ctx->wbuf[i >> 3] = (ctx->wbuf[i >> 3] & m2[i & 7]) | b2[i & 7];
+
+    /* we need 17 or more empty byte positions, one for the padding */
+    /* byte (above) and sixteen for the length count.  If there is  */
+    /* not enough space pad and empty the buffer                    */
+    if(i > SHA512_BLOCK_SIZE - 17)
+    {
+        if(i < 120) ctx->wbuf[15] = 0;
+        sha512_compile(ctx);
+        i = 0;
+    }
+    else
+        i = (i >> 3) + 1;
+
+    while(i < 14)
+        ctx->wbuf[i++] = 0;
+    
+    /* the following 64-bit length fields are assembled in the      */
+    /* wrong byte order on little endian machines but this is       */
+    /* corrected later since they are only ever used as 64-bit      */
+    /* word values.                                                 */
+
+    ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 61);
+    ctx->wbuf[15] = ctx->count[0] << 3;
+
+    sha512_compile(ctx);
+
+    /* extract the hash value as bytes in case the hash buffer is   */
+    /* misaligned for 32-bit words                                  */
+    for(i = 0; i < hlen; ++i)
+        hval[i] = (unsigned char)(ctx->hash[i >> 3] >> (8 * (~i & 7)));
+}
+
+#endif
+
+#if defined(SHA_2) || defined(SHA_384)
+
+/* SHA384 initialisation data   */
+
+const sha2_64t  i384[80] = 
+{
+    n_u64(cbbb9d5dc1059ed8), n_u64(629a292a367cd507),
+    n_u64(9159015a3070dd17), n_u64(152fecd8f70e5939),
+    n_u64(67332667ffc00b31), n_u64(8eb44a8768581511),
+    n_u64(db0c2e0d64f98fa7), n_u64(47b5481dbefa4fa4)
+};
+
+sha2_void sha384_begin(sha384_ctx ctx[1])
+{
+    ctx->count[0] = ctx->count[1] = 0;
+    memcpy(ctx->hash, i384, 8 * sizeof(sha2_64t));
+}
+
+sha2_void sha384_end(unsigned char hval[], sha384_ctx ctx[1])
+{
+    sha_end(hval, ctx, SHA384_DIGEST_SIZE);
+}
+
+sha2_void sha384(unsigned char hval[], const unsigned char data[], unsigned long len)
+{   sha384_ctx  cx[1];
+    
+    sha384_begin(cx); sha384_hash(data, len, cx); sha384_end(hval, cx);
+}
+
+#endif
+
+#if defined(SHA_2) || defined(SHA_512)
+
+/* SHA512 initialisation data   */
+
+const sha2_64t  i512[80] = 
+{
+    n_u64(6a09e667f3bcc908), n_u64(bb67ae8584caa73b),
+    n_u64(3c6ef372fe94f82b), n_u64(a54ff53a5f1d36f1),
+    n_u64(510e527fade682d1), n_u64(9b05688c2b3e6c1f),
+    n_u64(1f83d9abfb41bd6b), n_u64(5be0cd19137e2179)
+};
+
+sha2_void sha512_begin(sha512_ctx ctx[1])
+{
+    ctx->count[0] = ctx->count[1] = 0;
+    memcpy(ctx->hash, i512, 8 * sizeof(sha2_64t));
+}
+
+sha2_void sha512_end(unsigned char hval[], sha512_ctx ctx[1])
+{
+    sha_end(hval, ctx, SHA512_DIGEST_SIZE);
+}
+
+sha2_void sha512(unsigned char hval[], const unsigned char data[], unsigned long len) 
+{   sha512_ctx  cx[1];
+    
+    sha512_begin(cx); sha512_hash(data, len, cx); sha512_end(hval, cx);
+}
+
+#endif
+
+#if defined(SHA_2)
+
+#define CTX_256(x)  ((x)->uu->ctx256)
+#define CTX_384(x)  ((x)->uu->ctx512)
+#define CTX_512(x)  ((x)->uu->ctx512)
+
+/* SHA2 initialisation */
+
+sha2_int sha2_begin(unsigned long len, sha2_ctx ctx[1])
+{   unsigned long   l = len;
+    switch(len)
+    {
+        case 256:   l = len >> 3;
+        case  32:   CTX_256(ctx)->count[0] = CTX_256(ctx)->count[1] = 0;
+                    memcpy(CTX_256(ctx)->hash, i256, 32); break;
+        case 384:   l = len >> 3;
+        case  48:   CTX_384(ctx)->count[0] = CTX_384(ctx)->count[1] = 0;
+                    memcpy(CTX_384(ctx)->hash, i384, 64); break;
+        case 512:   l = len >> 3;
+        case  64:   CTX_512(ctx)->count[0] = CTX_512(ctx)->count[1] = 0;
+                    memcpy(CTX_512(ctx)->hash, i512, 64); break;
+        default:    return SHA2_BAD;
+    }
+    
+    ctx->sha2_len = l; return SHA2_GOOD;
+}
+
+sha2_void sha2_hash(const unsigned char data[], unsigned long len, sha2_ctx ctx[1])
+{
+    switch(ctx->sha2_len)
+    {
+        case 32: sha256_hash(data, len, CTX_256(ctx)); return;
+        case 48: sha384_hash(data, len, CTX_384(ctx)); return;
+        case 64: sha512_hash(data, len, CTX_512(ctx)); return;
+    }
+}
+
+sha2_void sha2_end(unsigned char hval[], sha2_ctx ctx[1])
+{
+    switch(ctx->sha2_len)
+    {
+        case 32: sha256_end(hval, CTX_256(ctx)); return;
+        case 48: sha_end(hval, CTX_384(ctx), SHA384_DIGEST_SIZE); return;
+        case 64: sha_end(hval, CTX_512(ctx), SHA512_DIGEST_SIZE); return;
+    }
+}
+
+sha2_int sha2(unsigned char hval[], unsigned long size,
+                                const unsigned char data[], unsigned long len)
+{   sha2_ctx    cx[1];
+
+    if(sha2_begin(size, cx) == SHA2_GOOD)
+    {
+        sha2_hash(data, len, cx); sha2_end(hval, cx); return SHA2_GOOD;
+    }
+    else
+        return SHA2_BAD;
+}
+
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+
diff -up libaesgm-20090429/sha2.h.BAD libaesgm-20090429/sha2.h
--- libaesgm-20090429/sha2.h.BAD	2010-05-24 09:35:26.416537685 -0400
+++ libaesgm-20090429/sha2.h	2010-05-24 09:50:47.186423842 -0400
@@ -0,0 +1,154 @@
+/*
+ ---------------------------------------------------------------------------
+ Copyright (c) 2002, Dr Brian Gladman <                 >, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ ALTERNATIVELY, provided that this notice is retained in full, this product
+ may be distributed under the terms of the GNU General Public License (GPL),
+ in which case the provisions of the GPL apply INSTEAD OF those given above.
+ 
+ DISCLAIMER
+
+ This software is provided 'as is' with no explicit or implied warranties
+ in respect of its properties, including, but not limited to, correctness 
+ and/or fitness for purpose.
+ ---------------------------------------------------------------------------
+ Issue Date: 26/08/2003
+*/
+
+#ifndef _SHA2_H
+#define _SHA2_H
+
+#include <limits.h>
+
+/*  Defines for suffixes to 32 and 64 bit unsigned numeric values   */
+
+#define sfx_lo(x,y) x##y
+#define sfx_hi(x,y) sfx_lo(x,y)
+#define n_u32(p)    sfx_hi(0x##p,s_u32)
+#define n_u64(p)    sfx_hi(0x##p,s_u64)
+
+/* define an unsigned 32-bit type */
+
+#if UINT_MAX == 0xffffffff
+  typedef   unsigned int     sha2_32t;
+  #define s_u32    u
+#elif ULONG_MAX == 0xffffffff
+  typedef   unsigned long    sha2_32t;
+  #define s_u32   ul
+#else
+#error Please define sha2_32t as an unsigned 32 bit type in sha2.h
+#endif
+
+/* define an unsigned 64-bit type */
+
+#if defined(_MSC_VER) && (_MSC_VER < 1300)
+  typedef unsigned __int64   sha2_64t;
+  #define s_u64 ui64
+#elif ULONG_MAX == 0xffffffffffffffff
+  typedef unsigned long      sha2_64t;
+  #define s_u64   ul
+#elif ULONG_MAX == 0xffffffff
+  typedef unsigned long long sha2_64t;   /* a somewhat dangerous guess */
+  #define s_u64  ull
+#else
+#error Please define sha2_64t as an unsigned 64 bit type in sha2.h
+#endif
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+#define SHA256_DIGEST_SIZE  32
+#define SHA384_DIGEST_SIZE  48
+#define SHA512_DIGEST_SIZE  64
+
+#define SHA256_BLOCK_SIZE   64
+#define SHA384_BLOCK_SIZE  128
+#define SHA512_BLOCK_SIZE  128
+
+#define SHA2_MAX_DIGEST_SIZE    SHA512_DIGEST_SIZE
+
+#define SHA2_GOOD   0
+#define SHA2_BAD    1
+
+/* type to hold the SHA256 context              */
+
+typedef struct
+{   sha2_32t count[2];
+    sha2_32t hash[8];
+    sha2_32t wbuf[16];
+} sha256_ctx;
+
+/* type to hold the SHA384/512 context          */
+
+typedef struct
+{   sha2_64t count[2];
+    sha2_64t hash[8];
+    sha2_64t wbuf[16];
+} sha512_ctx;
+
+typedef sha512_ctx  sha384_ctx;
+
+/* type to hold a SHA2 context (256/384/512)  */
+
+typedef struct
+{   union
+    {   sha256_ctx  ctx256[1];
+        sha512_ctx  ctx512[1];
+    } uu[1];
+    sha2_32t    sha2_len;
+} sha2_ctx;
+
+#ifndef SHA2_DLL                  /* implement normal or DLL functions   */
+#define sha2_void   void
+#define sha2_int    int
+#else
+#define sha2_void   void __declspec(dllexport) _stdcall
+#define sha2_int    int  __declspec(dllexport) _stdcall
+#endif
+
+sha2_void sha256_compile(sha256_ctx ctx[1]);
+sha2_void sha512_compile(sha512_ctx ctx[1]);
+
+sha2_void sha256_begin(sha256_ctx ctx[1]);
+sha2_void sha256_hash(const unsigned char data[], unsigned long len, sha256_ctx ctx[1]);
+sha2_void sha256_end(unsigned char hval[], sha256_ctx ctx[1]);
+sha2_void sha256(unsigned char hval[], const unsigned char data[], unsigned long len); 
+
+sha2_void sha384_begin(sha384_ctx ctx[1]);
+#define sha384_hash sha512_hash
+sha2_void sha384_end(unsigned char hval[], sha384_ctx ctx[1]);
+sha2_void sha384(unsigned char hval[], const unsigned char data[], unsigned long len); 
+
+sha2_void sha512_begin(sha512_ctx ctx[1]);
+sha2_void sha512_hash(const unsigned char data[], unsigned long len, sha512_ctx ctx[1]);
+sha2_void sha512_end(unsigned char hval[], sha512_ctx ctx[1]);
+sha2_void sha512(unsigned char hval[], const unsigned char data[], unsigned long len); 
+
+sha2_int  sha2_begin(unsigned long size, sha2_ctx ctx[1]);
+sha2_void sha2_hash(const unsigned char data[], unsigned long len, sha2_ctx ctx[1]);
+sha2_void sha2_end(unsigned char hval[], sha2_ctx ctx[1]);
+sha2_int  sha2(unsigned char hval[], unsigned long size, const unsigned char data[], unsigned long len); 
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif